Ask Your Question
0

Make tshark undissect the data layer

asked 2022-11-27 12:51:51 +0000

liron gravatar image

Hi, Is there any option to run tshark without dissecting the data layer? I want to get the bytes or hex of the data layer in my json output

Thanks!

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2022-11-28 18:05:09 +0000

André gravatar image

Use the option --disable-protocol to stop dissecting that protocol and treat it as data instead.

edit flag offensive delete link more

Comments

Thank you for your answer! Is there any way to disable all the data layer protocols at once? Or I must disable only specific ptorocols?

liron gravatar imageliron ( 2022-11-28 22:28:54 +0000 )edit

That depends on what you mean by "data layer protocol":

  • For 'data link layer protocol' it is probably easier to list the protocols like --disable-protocol eth
  • For protocols on top of TCP you can use the 'decode as' option: -d tcp.port==0-65535,data
André gravatar imageAndré ( 2022-11-29 18:55:41 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2022-11-27 12:50:55 +0000

Seen: 160 times

Last updated: Nov 28 '22

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark